Yubikey – the most effective protection against phishing and account takeover

Phishing – who has not had to deal with it? It is an old but still effective technique for taking over someone else's information, which each of us tries to protect in our own way and as well as we can. Various articles have repeatedly suggested how to protect yourself and your friends from social engineering, both mass and targeted, where a well-prepared attack on a company will sooner or later most likely end the way the attacker wants. But how effective are Yubikey keys against it?

Let us leave aside the usual recommendations for "safe" use of the computer, e-mail, social networks and so on, because the Yubikey introduced here is probably the most effective tool for preventing phishing attacks and unauthorized takeovers of Internet accounts that we have ever dealt with.

Yubikey Keys

Yubikey is a "key" that protects your account

If you have a Google (Gmail) account, or an account on Dropbox, Google+, YouTube, GitHub, Facebook, Twitter or other online services that support two-step verification at login (most often in the form of SMS messages sent to your phone when you try to log on), there is a chance that they support (or will support) the authentication method known as U2F, which lets you log on securely to a web site without installing additional drivers or the manufacturer's software (the Yubikey key works on all operating systems).

Although the internals of the Yubikey rest on modern cryptographic methods, that does not really matter to the average user; what matters to him is only security, which is achieved through strong two-factor authentication (2FA) using a public and private PGP key pair with very strong encryption, RSA 4096, which was used, among others, by Cryptolocker (and to this day no method has been found to decrypt files after an attack by this pest). In this way the user is protected from phishing, session hijacking, man-in-the-middle attacks and malware attacks. What's more, this method is easy to use:

  • it works "out of the box" with the Chrome browser, with Firefox support coming soon,
  • it enables immediate authentication to any number of web services,
  • and, just as important, it provides a high level of privacy by generating a new key pair for each web site you sign in to.

Yubikey in practice

In practice it does not differ much from what you meet every day when using web services that protect your account with additional security in the form of one-time codes sent via SMS at login.

Step 1: the price varies depending on the Yubikey variant. Yubikey already has an official distributor (the company ePrinus), and the product is also offered by ePrinus's partner InBase (inbase.pl), which specializes in consulting on information and personal data protection and in providing security solutions and services.

Automatic two-factor authentication with a Yubikey key can be carried out in several ways:

1. The standard Yubikey 4 key and the Yubikey NANO version, on computers that have a USB port.

Handling a Yubikey key is trivial.

2. The Yubikey NEO, which in addition to USB supports NFC for authentication on a mobile device.

Instead of typing a code from a text message: two "taps" and "done".
The Yubikey key can be used when you log on to sites from mobile devices.

3. The cheapest version, the Yubikey FIDO U2F Security Key, does not support RSA 4096 encryption but ECC-p256, and is intended only for computers with USB ports.

Step 2: enable U2F authentication on the web sites that support it. At the moment these are: Gmail, Dropbox, Google+, YouTube, GitHub, Facebook, Twitter... (please leave a comment if you know who else should be on this list).

For example, for Google services go to the sign-in settings, turn on two-step verification with SMS codes (if you are not already using this protection), then choose "add key" (for now this works only with Chrome) and follow the simple instructions.

Two-factor settings for a Google account.

Step 3: now, when you log on to Gmail or any other service that supports U2F, you enter your login and password as usual, and instead of SMS codes, which can be intercepted by malicious software, you simply plug the Yubikey into your USB port or (in the case of the Yubikey NEO) hold the key up to a mobile device with NFC enabled.

That is all: you have just logged in to your web site in a very secure way.

The magic of cryptography

All of the cryptographic "magic" takes place when you log on to the site through a browser API that verifies the web page address and performs authentication using public-key cryptography. This means that if the URL does not match (for example, a fake page created for a phishing attack: hxxp://gmail-account.com), then, even unaware of the risk, you will not be able to log on to the counterfeit copy of the popular site, and, what is important, the attacker will not be able to obtain the second factor required to log in to someone else's account.
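The origin check described above, together with the per-site key pair mentioned earlier, can be made concrete with a small model of the three parties involved: the key, the browser and the web site. This is an added example written for this article, not code from Yubico or from any of the services named. Its assumptions: the origins, the challenge and the "kh-N" key-handle scheme are constructed; the browser is simplified so that the appID it hands to the key is the page origin (real U2F uses a facet list); the byte layout of the signed data follows the U2F authentication response (SHA-256 of the appID, a user-presence byte, a 4-byte counter, then the SHA-256 of the client data); and the site compares the client data byte-for-byte against what it expects instead of parsing it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator models the key: a fresh P-256 key pair per site (appID), kept under an opaque handle.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // handle -> private key
	appIDs  map[string]string            // handle -> appID the key was registered for
	counter uint32                       // bumped on every signature; sites can use it to spot cloned keys
}

// Register makes a key pair bound to appID and returns the handle and public key the site will store.
func (a *Authenticator) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("kh-%d", len(a.keys)+1) // opaque handle; sequential here for brevity (constructed)
	a.keys[handle], a.appIDs[handle] = priv, appID
	return handle, &priv.PublicKey, nil
}

// Sign builds SHA-256(appID) || 0x01 || counter || challengeParam and signs it, but only if the handle was registered for exactly this appID.
func (a *Authenticator) Sign(appID, handle string, challengeParam [32]byte) (data, sig []byte, err error) {
	priv, ok := a.keys[handle]
	if !ok || a.appIDs[handle] != appID {
		return nil, nil, errors.New("authenticator: handle not registered for this appID")
	}
	a.counter++
	appParam := sha256.Sum256([]byte(appID))
	data = append(appParam[:], 0x01) // 0x01: user presence, the key was touched
	data = append(binary.BigEndian.AppendUint32(data, a.counter), challengeParam[:]...)
	digest := sha256.Sum256(data)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return data, sig, err
}

// clientData is what the browser hashes into the request; Origin is the page it is really showing.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// BrowserAuthenticate models the browser's U2F API: the appID handed to the key is the page origin, so a look-alike domain cannot get a signature for the genuine site.
func BrowserAuthenticate(auth *Authenticator, pageOrigin, handle, challenge string) (data, sig []byte, err error) {
	cd, _ := json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: pageOrigin})
	return auth.Sign(pageOrigin, handle, sha256.Sum256(cd))
}

// RelyingParty is the web site: it keeps each registered public key and verifies every login.
type RelyingParty struct {
	Origin  string
	pubKeys map[string]*ecdsa.PublicKey
}

// Verify rebuilds the client data it expects (its own origin, this challenge) and requires the signed bytes to carry its app parameter and that hash before checking the signature.
func (rp *RelyingParty) Verify(handle string, data, sig []byte, challenge string) error {
	pub, ok := rp.pubKeys[handle]
	if !ok {
		return errors.New("unknown key handle")
	}
	cd, _ := json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: rp.Origin})
	appParam, cdHash := sha256.Sum256([]byte(rp.Origin)), sha256.Sum256(cd)
	if len(data) != 69 || string(data[:32]) != string(appParam[:]) || string(data[37:]) != string(cdHash[:]) {
		return errors.New("signed data is not bound to this origin and challenge")
	}
	digest := sha256.Sum256(data)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

// RunScenario: register at a constructed genuine site, log in there, then try the relayed challenge from a constructed look-alike origin; nil means the site accepted the login.
func RunScenario() (genuine, phishing error) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, appIDs: map[string]string{}}
	rp := &RelyingParty{Origin: "https://accounts.example", pubKeys: map[string]*ecdsa.PublicKey{}}
	handle, pub, err := auth.Register(rp.Origin)
	if err != nil {
		return err, err
	}
	rp.pubKeys[handle] = pub
	chal := "Y29uc3RydWN0ZWQtY2hhbGxlbmdl" // per-login random challenge issued by the site (constructed)
	data, sig, genuine := BrowserAuthenticate(auth, rp.Origin, handle, chal)
	if genuine == nil {
		genuine = rp.Verify(handle, data, sig, chal)
	}
	// The phishing page relays the genuine challenge and handle, but the browser is on another origin.
	_, _, phishing = BrowserAuthenticate(auth, "https://gmail-account.example", handle, chal)
	return genuine, phishing
}
```

In the genuine login the site's check succeeds. On the look-alike page the key refuses to sign at all, because the handle was registered for a different appID, so the attacker never receives the second factor; and even if a signature were obtained for some other origin, it would fail the site's app-parameter and client-data checks, since both the appID hash and the origin inside the client data sit under the signature.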

At present U2F is supported by the Google Chrome browser (Firefox is coming soon). Yubikey keys can be used on Windows, Linux, Mac OS, Android, iOS, and anywhere the Google Chrome browser can run and the computer or mobile device has a USB port or NFC.

Among the disadvantages of this solution we must include the fact that if you lose the key, you will not be able to log on to the service. To protect against this you can buy a second key and "pair" it with the account, but this involves additional cost. In the case of Google, it is also possible to log in using backup codes or another phone.

Finally, it is worth adding that the Yubikey was designed by a Swedish company, and the U2F two-step verification process was developed jointly by Yubico and Google. Yubikey is used by employees of companies such as Facebook and Google, and Yubico itself provides free documentation, thanks to which developers can deploy U2F on their web sites free of charge. This login method works for:

  • the Joomla! CMS, which natively supports Yubikey keys,
  • via plugins: Drupal, Magento, WordPress,
  • and not only CMSs: Yubikey keys can also be used when logging in to SSH/SFTP servers.


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.